Full Disclosure mailing list archives
Re: Secunia Research: Xeneo Web Server URL Encoding Denial of Service
From: "Hotmail" <se_cur_ity () hotmail com>
Date: Wed, 23 Apr 2003 11:41:23 -0700
ROFLMFAO morning_wood http://exploit.wox.org ----- Original Message ----- From: "badpack3t" <badpack3t () security-protocols com> To: <che () secunia com> Cc: <vulnwatch () vulnwatch org>; <FullDisclosure () security-protocols com>; <full-disclosure () lists netsys com>; <bugtraq () securityfocus com> Sent: Wednesday, April 23, 2003 9:31 AM Subject: Re: [Full-disclosure] Secunia Research: Xeneo Web Server URL Encoding Denial of Service
Nice try lamers. I found this vulnerability and published it on April 21. Try reading your mail lists before sending out advisories. Links: http://www.security-protocols.com/article.php?sid=1480&mode=thread&order=0 http://lists.netsys.com/pipermail/full-disclosure/2003-April/009347.html --------------------------- badpack3t www.security-protocols.com ---------------------------====================================================================== Secunia Research 23/04/2003 - Xeneo Web Server URL Encoding Denial of Service - ====================================================================== Receive Secunia Security Advisories for free: http://www.secunia.com/secunia_security_advisories/ ====================================================================== Table of Contents 1....................................................Affected Software 2.............................................................Severity 3.....................................Vendor's Description of Software 4.........................................Description of Vulnerability 5.............................................................Solution 6...........................................................Time Table 7..............................................................Credits 8........................................................About Secunia 9.........................................................Verification ====================================================================== 1) Affected Software Xeneo Web Server 2.2.9 and prior. ====================================================================== 2) Severity Rating: Moderately critical Impact: Denial of Service Where: From Remote ====================================================================== 3) Vendor's Description of Software "Xeneo Web Server is designed to deliver high performance and reliability. It can be easily extended and customized to host everything from a personal web site to advanced web applications that use ASP, PHP, ColdFusion, Perl, CGI and ISAPI." "Key Xeneo Web Server features include: multiple domain support, integrated Windows authentication, scripting interface, enhanced filter support, ISAPI, CGI, ASP, SSL, intelligent file caching and more." Vendor: http://www.northernsolutions.com ====================================================================== 4) Description of Vulnerability A vulnerability in Xeneo Web Server can be exploited by malicious people to cause a DoS (Denial of Service) on the web service. The vulnerability is caused due to an error in the handling of requests including a malformed URL encoding representation of a character. By sending a request like the following, "xeneo.exe" will crash with a runtime error. Example: http://[victim]/%A The web service needs to be restarted manually before functionality is restored. ====================================================================== 5) Solution The vendor quickly responded by releasing version 2.2.10.
http://www.northernsolutions.com/index.php?view=product&sec=download&id=1
====================================================================== 6) Time Table 22/04/2003 - Vulnerability discovered. 22/04/2003 - Vendor notified. 23/04/2003 - Vendor response. 23/04/2003 - Public disclosure. ====================================================================== 7) Credits Discovered by badpack3t, www.security-protocols.com. ====================================================================== 8) About Secunia Secunia collects, validates, assesses and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://www.secunia.com/ Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration. Secunia offers a FREE mailing list called Secunia Security Advisories: http://www.secunia.com/secunia_security_advisories/ ====================================================================== 9) Verification Please verify this advisory by visiting the Secunia website: http://www.secunia.com/secunia_research/2003-5/ ====================================================================== _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Secunia Research: Xeneo Web Server URL Encoding Denial of Service Carsten H. Eiram (Apr 23)
- Re: Secunia Research: Xeneo Web Server URL Encoding Denial of Service badpack3t (Apr 23)
- Re: Secunia Research: Xeneo Web Server URL Encoding Denial of Service GaLiaRePt (Apr 23)
- Re: Secunia Research: Xeneo Web Server URL Encoding Denial of Service Hotmail (Apr 23)
- Re: Secunia Research: Xeneo Web Server URL Encoding Denial of Service badpack3t (Apr 23)